CVE-2023-54360

MEDIUM

Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54360. PoCs published by CraCkEr.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in Joomla JLex Review 6.0.1 by injecting malicious JavaScript into the 'review_id' URL parameter. The payload triggers a confirmation dialog when the mouse hovers over the manipulated element.

Description

Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.

Exploits (1)

exploitdb · WORKING POC
by CraCkEr · text · webapps · php
https://www.exploit-db.com/exploits/51645

Classification
Working PoC: 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Joomla JLex Review 6.0.1
Authentication: none needed
Prerequisites: victim interaction (clicking a crafted URL)
devstral-2 · analyzed Apr 10, 2026

References (4)

Core References
Exploit: ExploitDB-51645
https://www.exploit-db.com/exploits/51645
Product: Official Product Homepage
https://jlexart.com/
Product: Product Reference
https://extensions.joomla.org/extension/jlex-review/
Third Party Advisory: VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter
https://www.vulncheck.com/advisories/joomla-jlex-review-reflected-xss-via-review-id-parameter

Scores

CVSS v3 6.1
EPSS 0.0004
EPSS Percentile 11.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Jlexart/Joomla JLex Review 6.0.1
Published Apr 09, 2026
Tracked Since Apr 10, 2026